CSI: Cyber (2015) s01e10 Episode Script

Click Your Poison

My name is Avery Ryan.
I was a victim of cyber crime.
Like you, I posted on social media, checked my bank account balance online, even kept the confidential files of my psychological practice on my computer.
Then I was hacked, and as a result, one of my patients was murdered.
My investigation into her death led me to the FBI, where I joined a team of cyber experts to wage a war against a new breed of criminal hiding on the Deep Web infiltrating our daily lives in ways we never imagined faceless nameless lurking inside our devices, just a keystroke away.
Coffee, thanks.
Okay.
Here you go.
Hey! Watch it, man! Hey! Get out of the street, man.
Get an ambulance! I'll call 911.
Cleveland coroner sent this scan of victim Carl Bruno: Male, 36.
C.
O.
D.
Was blunt force trauma from vehicular impact.
Witnesses described him as being disoriented and possibly hallucinating just prior to the accident.
How did Mr.
Bruno's death get on the FDA's radar? This prescription bottle was found at the accident scene.
They're drugs purchased from an online Canadian pharmacy.
JPBPharmacy.
com.
The Federal Drug Administration has been tracking this pharmacy for about two weeks based on complaints coming in to our MedWatch hotline.
The callers all have similar stories.
Bad reactions to drugs they've purchased online.
No one's died until now.
The FDA has an investigative arm OCI.
Why come to Cyber? We believe there are fraudulent ads on the medical Web site, ScrollMD.
Over 800,000 people visit the site a day, most seeking a second opinion, searching for general health conditions, others for specific drugs.
The site users are being lured to JPBPharmacy.
com through these unauthorized ads.
The ads are redirecting site users to what could be a fictitious pharmacy.
Sounds like a click-baiting scheme.
Tramizor is the drug Carl Bruno ordered.
It's used to treat heart disease, but the victim's arterial walls show considerable plaque build-up.
The drug was ineffective.
Because it had little to no pharmacological ingredient.
Carl Bruno was duped into buying what he thought was real Tramizor, when, in fact, it was a placebo.
Not just a placebo.
There's signs of inflammation in the brain.
Tox report revealed trace amounts of aflatoxins.
Fungus? Along with oxycodone a pain reliever, mood enhancer.
So the victims felt like they were getting better while they were taking the drugs, when, actually, they weren't.
Carl Bruno's death wasn't an accident.
It was homicide.
What's the latest on the ScrollMD Web site? HTML injection.
Check it out.
Someone hacked a curtain ad on the ScrollMD site.
Looks like a normal ad, right? And this is the code for the ad, but peekaboo.
There's actually two codes written right on top of each other.
A click-baiting scheme.
- Right.
- Like Avery predicted.
And if you toggle between them, the fake ad is masking the legitimate ad.
The target had to breach the ScrollMD servers to inject this code.
So ScrollMD wasn't aware of the intrusion? No, and it's not just about the ads.
It's about how people are getting to the ads.
So if you search "heart disease," like our vic, you get the heart disease info page.
Fine, okay, but if you search general symptoms like "fatigue," or "nausea" and you click around long enough, you end up At the heart disease info page.
Yeah, I tried it, too.
Got this rash on my elbow.
It it's not on his elbow.
Look, I searched "rash," then it took me down some wormhole of related symptoms, and then, eventually, I ended up on a page - that said I had cancer.
- The algorithm was designed to take any symptom that you type in "fatigue," "insomnia," "dizziness" and you get "heart disease.
" Next thing you know, you're paranoid, self-diagnosing, thinking you have symptoms you don't even have.
Taking advantage of the closet hypochondriac in all of us.
Exactly.
Except in your case, Nelson.
I'd get that, uh, elbow rash checked out.
What? Our phony pharmacy is not just selling Tramizor.
We've discovered nine other drugs.
I got Damitrol for high blood pressure.
Anfedril, that's diabetes.
Lindrexia, that's that miracle cancer drug.
How do you know so much about prescription drugs? Ah, just research.
You know I like to stay informed.
You're a hypochondriac.
- No.
- Mm.
As much as I love being psychoanalyzed, we've got a target that needs to be profiled.
Okay, he, like you, is organized, ambitious, sophisticated, tech-savvy.
The drugs he's chosen to distribute are the most expensive and sought-after in their categories.
Modern day snake oil salesman.
You know, it used to be these guys were selling their wares out of car trunks, and now Well, this guy's masquerading on the Internet.
He could have links to organized crime.
Gangs and cartels already have distribution networks.
Well, the penalties for counterfeiting pharmaceuticals are less severe than trafficking narcotics.
You think he's trying to lure people into the Deep Web? You know, that's the scary part.
He doesn't have to.
He's operating almost entirely on the Surface Web, where he can reach millions of everyday citizens.
Well, does that give us a better chance of drawing him into the real world? Not necessarily.
Guys like him know how to operate out in the open without getting caught.
Which, in a way, makes him more elusive And more dangerous.
Sifter.
Wait, who? She's here now? Uh, escort her up.
Mrs.
Bruno, I'm Assistant Deputy Director Simon Sifter.
This is Special Agent Avery Ryan.
The FDA told me you were handling my husband's case.
Right, I am so sorry for your loss, but I'm afraid we don't have any answers yet.
I had I had to come.
It's all right, Mrs.
Bruno.
It's only natural you'd have questions.
It was me.
I'm responsible for my husband's death.
I was the one who bought the Tramizor for Carl.
Last summer, he had a heart attack, and his doctor prescribed Tramizor to prevent another one.
Our insurance plan changed.
They didn't cover this particular medication.
We had to decide.
Pay for Carl's meds or buy groceries.
So I went online.
When I saw the ad for the pharmacy, I was so relieved.
I just assumed that because it was on ScrollMD, it was safe.
Carl was skeptical.
He thought it was too good to be true.
But we were desperate, and when the pill looked identical to the real thing Did you ever speak with anybody or attempt to contact the pharmacy by phone or? My only contact was online.
I was so stupid to trust this Web site, and I printed every receipt and e-mail.
I looked for anything to help your investigation.
JPB Pharmacy.
We were on a monthly plan.
They delivered that package yesterday.
Hmm, no return address, but there is a return zip code.
This is what we got? To hunt down one zip code on a postmark? Yep, Avery wants us to filter this down to the one machine that stamped this package by the time she lands in San Antonio.
Okay.
Tell you what.
We'll take turns filtering the data.
First one to get stumped takes the late shift for three weekends straight.
Okay, I'll go first.
Let's nix all the machines with IP addresses associated with big corporations.
Executive assistants and guys in the mail room probably aren't counterfeit drug lords.
The machines record the weight and postage of each package, so let's just eliminate all the ones that only sent out letters.
Bam! Beat that.
Okay.
Package cost $1.
82.
We just eliminate any machine that didn't record $1.
82, okay? Okay, big bro, let me run with that.
The meter stamp also has a date, and since we already know the postage - $1.
82.
we can eliminate any machine that didn't record that amount on this same date.
That's only four left.
I got this I got this, I got this.
Package weighs 5.
3 ounces.
Meter machine is accurate to a tenth of an ounce.
So which of the remaining four machines sent out a package costing $1.
82, weighing 5.
3 ounces, on this exact date? Mm-hmm.
- Yeah! - That's what I'm talking about.
Go ahead and pull up that Internet service provider, man.
Okay, I'm getting the hard location for the IP address now.
Looks like you're gonna be enjoying the late shift, my friend.
- Who, me? - Yeah, you.
- Uh-uh.
- Uh-huh.
Oh, got an address.
Avery, it's me.
545 Oakland Way, San Antonio.
FBI! Open up! Show me your hands! Turn around, slowly.
I have a theory, Paul.
You tell me if I'm in the ballpark.
You're involved with an illegal prescription drug ring, scamming people over the Internet.
You're not the boss, you're just a middleman.
You took this job not for the money, but because you need access to the same drugs you're distributing.
I'm assuming Lindrexia? You have cancer? Oh, congratulations.
You get a gold star.
Paul, the drugs you're taking are counterfeit.
They're full of toxic contaminants that are making you sicker.
That's not true, I'm feeling better.
That's because they're also laced with oxycodone.
That's what's relieving your pain, making you feel euphoric.
I'm getting better.
I know I am.
Have to be.
How were you first contacted about this job? I met a guy on a cancer support chat group online.
Said he had access to black market Lindrexia, and said I could have some, if I helped him distribute it.
Did you ever meet with him in person? No.
Never.
It was always a dead drop.
No one was ever there.
Lung cancer.
Kicked it twice.
Came back a third time.
I asked my doctors for Lindrexia, and they said no.
See, the thing is, it's a miracle drug, but that miracle's only approved for first- and second-line patients.
If you're a third-timer like me, well, you're crap out of luck.
Doctors say I'm a lost cause.
Well, it's not just phony Lindrexia that you're shipping out.
There are nine other drugs, one of them a heart medication.
Killed a man in Cleveland.
Well, the packages I get are already sealed.
My job is just to stamp 'em and ship 'em out.
Look, this is, this is just supposed to be a way around the drug companies.
I just wanted to help people.
Just wanted to help people.
And now you're telling me I killed a man? Guy who died how old was he? He was about your age.
Figures.
Death always finds a way.
Are you okay, Paul? I'm fine.
I'm gonna get you some water.
I just need a minute.
No, no, no, no! - Aah - We need some help in here! Someone get first aid! Yeah, I need an ambulance.
Ah no Stay with me, Paul! Stay with me, Paul, stay with me.
Paul, stay with me! You okay? Yeah.
Our target's a twisted son of a bitch.
He's not just cheating sick people, he's using the most desperate ones to do his dirty work.
Why hire a guy like Paul? Because he was hopeful.
Paul wasn't doing it for the money.
He wouldn't ask any questions.
He just wanted to live.
He just wanted everyone to live.
Which tells me that our target is a sociopath, lacking empathy and remorse.
He didn't care that Paul was a cancer victim; he just saw him as a pawn that could be manipulated and controlled.
You still think our target's part of - an organized crime ring? - If he were, he'd have a member of his crew doing that job.
Our target is running a much leaner operation.
Yeah.
So lean our only lead is on his way to the ICU.
Well, maybe Paul's phone could do the talking.
Paul mentioned something about a dead drop, where he was picking up pills.
I'll pull up his "Frequent Locations.
" Show me "Journey Mode.
" You're checking for a pattern.
Yeah.
There.
On the days that Paul left his house, he never left before noon.
Looks like he averaged five or six stops.
Once a week, he'd leave the house, make one stop at 9:00 a.
m.
, drive directly back.
That's got to be the address of the dead drop location.
According to this schedule, next pickup's not for another three days.
We don't have time.
We have to pull the traffic cam footage of the area.
If Paul was picking up drugs, someone was dropping them off.
Do you think this is where our target surfaced in the real world? There's only one way to find out.
And you're sure about this? Yeah.
My techs confirmed it today.
It's an HTML injection on your site that's causing site visitors to access malicious ads.
Well, my network security is top-notch.
We'll have to look into this and make sure it's accurate.
Marcus, all due respect it's accurate.
Your security has gaping holes.
Look, I'm here as a friend.
I could have called, but I just felt this was something best explained in person.
Well, pardon me if I hesitate to thank you.
Look, I don't want ScrollMD to face any undue embarrassment, so just, please, take down the infected ads immediately and have your techs scrub your servers for any other malicious code.
Sure, fine.
Anything else? Uh, yeah, actually.
Consider reaching out to the victim's wife, Jane Bruno.
Extend your condolences.
Most importantly, issue a public warning on your home page.
That's the most efficient way of reaching people who might have these drugs currently sitting in their medicine cabinets.
No, that's a step too far, Simon.
Talk about embarrassment.
A-A public warning saying that we were breached? It would create a PR nightmare for us.
Not to mention it opens us up to liability.
The widow could sue.
I could lose millions in sponsors.
A man died because of your Web site.
And I feel badly about that.
But ScrollMD was a victim, too.
Our Web site was attacked.
I can't issue that warning.
You can't or you won't? I won't.
That one.
It shows the entrance to the dead drop location.
Take me back to the time of the last pickup.
Okay.
There's Paul.
Okay, take the footage back.
We're looking for anyone else going in or out that door.
There.
Rewind that.
Play that back.
You gotta be kidding me.
The target's using an IR LED array.
Makes his license plate unreadable to cameras.
Can we make an I.
D? Let's see here No.
Can't see his face.
Too far away.
What is it? Our target was driving a newer model SUV, probably equipped with Bluetooth, phone, radio All four tires give off Bluetooth signals to report when they're low on pressure.
What are you thinking? See that little white box right there? It's a Department of Transportation traffic monitoring system.
Picks up Bluetooth signals to report traffic patterns.
The D.
O.
T.
Keeps a record of every Bluetooth device it pairs with.
That's our digital fingerprint.
We match that to the SUV's VIN number, and we get the driver's ID and registration from the DMV.
Yeah, only one problem the D.
O.
T.
Only keeps the data for 20 minutes.
You really believe that? Bluetooth is a hacker's best friend.
What time was the IR LED flash detected by the traffic cam? Can you put the newscast on the big screen? Okay, these are the Bluetooth devices that paired with the D.
O.
T.
Traffic box at the same time.
Looks like it.
You should be able to trust the Web sites you visit.
They should be responsible for the content of the ads that are on their sites.
My husband is dead because someone was negligent.
Today I went to ScrollMD headquarters.
No one would talk to me.
They escorted me out.
They say they're all about helping people, but all they care about is the bottom line.
Hey, I've got something here.
All right, talk to me.
We just ran the VIN number of our target's SUV through the Texas DMV database and got a hit.
All right, get Avery on the phone.
Nelson, I've got a job for you.
Come see me in my office after this.
You don't want Krumitz to come, too? I mean, because we've been tag-teaming everything.
Just you.
Simon? Avery, we found the driver of the SUV.
Target's name is Randall Fung.
FBI! Go, go, go! My side's clear! Shooters come out.
All clear, sir! Totally clear! FBI! Hands up, let me see your hands! FBI! Don't move! Get down, get down! Do not move! On the ground! Hands behind your back! Randall Fung, turn around.
Hands behind your back.
Mold.
The aflatoxins.
This is what's making the victims sick.
I've seen some nasty-ass crap, but this is disgusting.
You keep looking at the pills, not the computer.
You know what that tells me? That you're a trained chemist, not a cyber criminal.
Which means you're only half this operation.
You're the pill cook.
Randall, we got you on fraud, conspiracy, trafficking counterfeit goods, and a man died because of what you did.
You're looking at murder and a hell of a lot of jail time, unless you can tell us where your better half is.
Now, if you talk, maybe we can make a deal.
Bag the computers and devices and bring 'em back to DC.
We're still looking for the head of this snake.
What the hell did you do, Simon? Wow, you seem a little upset, Marcus.
Is this a discussion we should be having by my parking space? My entire Web site is down.
Every time my techs try to get it back online, it crashes again.
Sounds like a distributed denial-of-service attack.
Ah, those can take days, weeks to sort out.
I can certainly have my team look into it.
Your team? You son of a bitch.
And I'm guessing you also had something to do with the media attack Carl Bruno's wife has been waging? Hey, look at that, you do know the victim's name.
What do you want, Simon? Same thing Jane Bruno wants for you and ScrollMD to be held accountable.
And maybe if you spoke with her, instead of just escorting her out I am not gonna negotiate with you.
You know, Marcus, in the next few weeks, it's gonna be more than your site that's crashing.
That's not a threat, that's reality.
Who knows what's next? Dirty vaccines? Tainted antibiotics? Millions of people visit your site every month.
And whether they get cured or they get killed might just depend on you.
Look, I know they scrubbed these devices of mold and spores and whatnot, but, uh, I am starting to itch a little bit.
Wait wait, w-wait.
Hold up.
Go back.
Look familiar to you? Both Paul and Randall had the exact same online poker site bookmarked on their devices.
Could be a coincidence.
Yeah, we were thinking that, too.
Until we checked the user history on both devices we stopped thinking that.
For the last two months, both these guys logged on to the same poker site every Saturday.
Were they playing each other? No, but look where they sat.
A no-limit, heads-up table.
Means they each played an opponent one-on-one.
And for no more than three minutes.
- Three minutes? - Mm-hmm.
That's barely enough time to play one hand.
True, but that's all they ever play.
I mean, you log in, sit, play a hand, win, log out.
Paul and Randall weren't playing poker.
They were getting paid for their services.
This is how our target pays his crew.
I bet this is also how our target washes his money.
Hackers love using online poker to launder funds.
It's hard to track.
But not impossible.
You still want to argue you're not a hypochondriac? This is not about me.
Oh, my wife, she hates shots.
And the doctor put her on these pills for the flu.
A preventative measure because of her weakened immune system.
I don't know, just being cautious, I guess.
Did you really think Kathryn's doctor prescribed her phony meds? Hearing Jane Bruno's story, I mean, this could happen to anyone.
Yesterday, I met an intelligent, qualified doctor who fell down a slippery slope and ended up in the target's trap.
There's a nationwide shortage of Doxaflu.
Yeah, it's just hard to believe your only option was an online pharmacy.
I have high-risk patients children, pregnant women, the elderly.
I wanted to make sure that my patients were protected.
Yeah, I mean look, I know we need to be able to trust in certain things doctors, medicine.
It's just hard when When our target's taking advantage of that trust.
And now, besides the nine pharmaceutical drugs our target was distributing, he's escalated to a common flu medication.
He's expanding his business.
Sounds to me like he's looking for a big payday, so he can cash out and run.
Yeah, how do we get to him before he does? So, based on your previous psychological profile of the target, can you build a physical description? Well, our target is most likely male, based on his tech skills and his sociopathic tendencies.
He sees people as dollar signs.
He has no empathy, no conscience.
Age range? Coders fall into one of four categories young adolescents, college students, professionals, or mature and reformed ex-virus writers.
But our target is a professional.
Which puts him in the early 20s to mid-40s range.
He's made an art of blending in.
Hiding in plain sight.
He's average-looking, inconspicuous.
He won't wear his hair too long or too short.
He's likely to have poor social skills.
A recluse.
He won't want to leave home unless he has to.
He likes to live his life behind a computer screen.
But if he does leave the house, he'll want to disguise himself.
But nothing that draws too much attention.
Glasses.
With thick frames.
He likes to have a barrier between himself and the rest of the world.
It gives him a false sense of security.
All right, what do we got? Male, 20s to 40s, glasses, hair medium length.
That is not a whole lot to go on.
It's enough.
We will know him when we see him.
Now we just have to give him a reason to pop out into the real world.
How do you propose we do that? Money.
I need $250,000.
Uh, for what exactly, Avery? A little game of poker.
All right, everybody, listen up.
Time to put your game face on.
Once our target receives a big payment, he's gonna launder it using the same online poker site he used to pay his crew.
He's gonna be evasive, and he's gonna be fast, but we're gonna be faster.
Avery, you sure this is a good idea? Our target's gonna know we're not a doctor's office.
He's gonna trace that quarter mil right back to us.
Our raid on his pill factory put him on the ropes.
His operation is crippled.
He's gonna want to cash out and run, even if he knows it's government coin.
He's compulsive, overconfident and self-serving.
He's always looking for his next big score.
And you think he's gonna make a mistake? A mistake born of greed.
He made a fortune preying on the weaknesses of others.
And we're gonna catch him because his weakness is he's cocky.
Here goes nothing.
We just bought $250,000 worth of drugs.
Krumitz, you're up.
Okay.
Our target uses a Dollar Dispatch account for his pharmacy transactions.
No previous history.
It's a one-off account.
Uh-huh.
There's our 250 Gs.
Nobody freak out.
It's about to disappear.
Our target is opening a new Dollar Dispatch account for every drug transaction.
- Nelson? - All right.
So, our target's favorite online poker site.
Now, we have full administrative privileges, which means we're like the pit boss.
We can see whatever screen we want.
Pull up the lobby.
Go to the no-limit, heads-up tables.
The target should buy in for $250K.
Wait for it.
There he is! Phantom23.
We got him! - See? - Yes.
- Got him.
- Got him.
He's at table 26.
He's going all in on that first hand.
He just folded on a full house.
Remember, every time he loses, he's really losing to himself.
With every hand, he's laundering the money one step further.
Odyssey45 is just another handle he created for himself in the poker game.
All right, he's on the move.
Who's got eyes on Odyssey45? I do.
He's at table 84.
He's on the move again as Emerald62.
There he is, table nine.
Wait, he's not going all in anymore.
He's only bidding half.
Sneaky sucker.
He divided the money so it's harder to track.
He's jumping tables again.
Damn it! Look, there's, like, four of them.
Remember, he's playing against himself.
He's playing at more tables.
That's six.
Now eight sixteen He's using an algorithm.
Just stay with him.
Just isolate the games our target's playing.
He's moving too fast.
Do not lose him.
Wait, look at his bets.
He's going all-in again, there and there.
Yeah, he's recombining his laundered assets.
He's getting ready to cash out.
Look for a player who starts to dominate.
I think I got him, Hydrus99.
Earnings just climbed to $159,000.
Krumitz, trace the bank account link to Hydrus99.
He'll have to show at the bank in person to cash out.
I can't.
There's a, there's a separation of privileges on this server.
It's like a traffic light system.
Green's what the players can access, yellow's administrator access, and red's where the bank accounts are stored.
No, no, no, no.
We should have access to both yellow and red.
I specifically asked for it.
I know, but I can't access the red.
There's a whole extra layer of encryption.
Wait, wait, wait.
I think I can get in, but it's gonna have to authenticate me.
It's gonna take some time.
Time we don't have.
He's up to $184,000.
$202,000.
Guys, come on, he hits 250, he's gone.
Look, we don't have time.
Look, we have to hack it.
- Just do it.
- There's a bridge between each zone.
Krummy, we have to ride one of them from yellow to red.
Yeah.
He did it.
He hit $250,000.
Did we get it? Sorry, we, uh, we couldn't, um Wait a minute.
That's it? It's He's gone? It's over? No.
No.
There still might be a trace of him in the system.
What do you mean, Nelson? Because his winnings in the yellow zone still have to communicate with his bank account in the red zone.
That's our bridge.
We need to plant a bug in that line of communication.
We can ride it into the red and straight into his bank account.
Infect the firewall with a virus.
Yeah! Holy crap, we did it.
The target's bank account is at Keymark Bank, Lexington, Kentucky.
Yes.
Good work.
It's after banking hours, which means our target can't cash out till the morning.
Let's be there when he does.
I'd like to close my account.
Your account number? That's a lot of money.
Looking to make a fresh start.
I'd like that in a cashier's check.
Okay, okay.
Shawn Morris, looks like the last life you gambled away was yours.
All right, hey! To an epic win today.
Cheers! - Cheers.
- Good work, people.
All right, you know we made the same toast when we busted you, right? Oh, you just got to rub it in.
Look, I'm nothing like the guy we arrested today, okay? Shawn Morris, guy's like a sociopath.
Probably still lives in the basement with his parents, never been near a girl, and uses code for evil.
And hacking the New York Stock Exchange was any different? It was.
His code killed people.
My code just made bankers and stockholders mad - for a day or two.
- So, then he was a black hat with bad intentions, and you were what? An innovator.
A revolutionary.
Sounds like you're just a guy talking a whole bunch of smack.
- Smack! - See, you got to know what it's like on the other side to know what I'm talking about.
Now, don't get me wrong, it feels good to know that we did save lives by, you know, getting over a hundred contaminated drugs off the streets.
Yep, stopped it before it became an epidemic.
That's how we do, son.
- That's right, baby.
- Mm.
Got to go.
I got daddy duty.
- Good work.
- All right.
Man's a superhero with a kid.
- -Hey, I thought you drank everything in those 82-ounce cups.
They're not that big.
Today I am proud to announce that ScrollMD will be the first Web site of its kind to issue a public warning on its home page alerting users to the dangers of fraudulent online advertising.
We will also lead an initiative in Congress to ensure that all health Web sites maintain a higher level of security.
That was you, wasn't it? We'll be following that story as it progresses Well, I did apply a little pressure.
And how is Kathryn? Is she still under the weather? I just texted her.
She's-she's much better, thanks.
Yeah, I may be coming down with the same thing she's got.
I got kind of an itchy throat.
You know? Oh, please, don't start.
To our health.

Previous EpisodeNext Episode